Mind SEC’s new data breach rules, says Finra

Mind SEC’s new data breach rules, says Finra
The industry regulator is urging member firms to start taking appropriate measures as changes to Regulation S-P take effect.
JUN 06, 2024

Finra is calling on all its member firms to take heed and take action as new SEC rules that stiffen expectations around data breaches takes effect.

In an announcement Thursday, the industry self-regulator highlighted the SEC's recent amendments to Regulation S-P, aimed at modernizing and enhancing the protection of consumer financial information.

Announced in mid-May, the changes, which Finra says will impact all member firms, require covered institutions to adopt an incident response program and notify individuals if their sensitive customer information is accessed or used without authorization.

“These amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers and transfer agents (‘covered institutions’),” Finra said Thursday.

Under the retooled regulation, the SEC expects covered institutions to include an incident response program in their written policies, which should be reasonably designed to detect, respond to, and recover from unauthorized access to customer information.

Additionally, institutions are required to establish and enforce policies for oversight of service providers, including due diligence and monitoring processes.

The SEC also expects firms to notify affected individuals whose sensitive information was, or is likely to have been, accessed without authorization. Those notifications must be sent as soon as practicable, but no later than 30 days after discovering the incident, except in certain limited circumstances.

The amendments to regulation S-P, which have been entered into the Federal Register, also expand the safeguards and disposal rules. Now, those rules cover nonpublic information collected about an institution’s own customers as well as information received from other financial institutions.

Covered institutions must also maintain written records documenting compliance with the safeguards and disposal rules under the amended Regulation S-P.

As wealth firms and financial institutions build ever-growing storehouses of their customers' personal and financial information, data breaches have become a critical issue for even the largest players.

Shortly after the SEC unveiled its cybersecurity rule amendments, Interactive Brokers reported in Massachusetts that it had “identified a business email compromise that resulted in the unauthorized access to a limited amount of consumer personal information.”

JPMorgan made a similar revelation in early May, when it disclosed to the Office of the Maine Attorney General its own discovery of a data breach that exposed names, addresses, Social Security numbers and other sensitive information belonging to more than 451,000 retirement plan participants

Starting from June 3, 2024 – when the Regulation S-P amendments officially got published in the Federal Register – larger entities have 18 months to comply with the new requirements. Smaller firms have relatively more lenient timeframe of 24 months to get up to code.

“FINRA recommends that all member firms review the amendments to ensure their cybersecurity programs are modified, as needed, to come into compliance by the applicable compliance date for their firms,” the statement said.

Latest News

Creative Planning's Peter Mallouk slams 'offensive' congressional stock trading
Creative Planning's Peter Mallouk slams 'offensive' congressional stock trading

"This shouldn’t be hard to ban, but neither party will do it. So offensive to the people they serve," RIA titan Peter Mallouk said in a post that referenced Nancy Pelosi's reported stock gains.

Raymond James hauls Ameriprise advisors managing $1.1B in New York
Raymond James hauls Ameriprise advisors managing $1.1B in New York

Elsewhere, Sanctuary Wealth recently attracted a $225 million team from Edward Jones in Colorado.

Cetera debuts new alts allocation portfolios for accredited investors
Cetera debuts new alts allocation portfolios for accredited investors

The giant hybrid RIA is elevating its appeal to advisors with a curated suite of alternative investment models, offering exposure to private equity, private credit, and real estate.

Steward Partners expands in California with $1.1 billion RIA acquisition
Steward Partners expands in California with $1.1 billion RIA acquisition

The $40 billion RIA firm's latest West Coast deal brings a veteran with over 25 years of experience to its legacy division for succession-focused advisors.

Invictus managers withhold $10M, trigger ERISA asset showdown
Invictus managers withhold $10M, trigger ERISA asset showdown

Invictus fund managers allegedly kept $10 million in plan assets after removal, setting off a legal fight that raises red flags for wealth firms.

SPONSORED How advisors can build for high-net-worth complexity

Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.

SPONSORED RILAs bring stability, growth during volatile markets

Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.